[Cryptography] RC4 again (actual security, scalability and other discussion)

Hanno Böck hanno at hboeck.de
Sun Mar 9 07:33:44 EDT 2014

On Sun, 9 Mar 2014 07:20:26 -0400
Jerry Leichter <leichter at lrw.com> wrote:

> The reasoning here disturbs me.  Use chacha20 because "everyone out
> there thinks [it] provides very high security"?  Was a poll taken of
> "everyone out there" for any reasonable definition of "everyone"?
> And they *all* agreed?  Really?

Okay, my wording was a bit - let's say informal.

So let me rephrase my reasoning:
* Matthew Green thinks salsa20 is the way to go [1]. chacha20 is the
  successor of salsa20 with very few changes.
* Adam Langley tries to improve SSL and thinks chacha20 is the way to
  go [2].
* Dan Bernstein wrote chacha20 and was author of the latest rc4 attack
  - he probably also thinks his own invention is the way to go.
* OpenSSH authors think chacha20 is the way to go and added it to
  openssh 6.5.
* There's an ongoing debate in the TLS WG about chacha20. There are
  heated discussions about implementation details, but I haven't yet
  read that anyone objects to the idea in general of having chacha20.

I dare to say: I am not qualified to judge if a stream cipher is any
good. So the best thing I can do is look at what the people out there
who I know know a lot about crypto say. There are a number of people who
think chacha20 is good. There is no famous cryptographer I'm aware of
that thinks it's really bad.

> What *is* important, though, is to avoid the temptation to rush off
> after "the new shiny", just because it's new and shiny.  Even most
> cryptosystems proposed by the best in the business - and djb is
> certainly in that category - don't survive the community's attacks.

Totally agreed. "new shiny" is not a reasonable category. But salsa20
has been out there for over 10 years. chacha20 is only a small variant
and it basically was improved based on the (few, highly theoretical)
attacks on salsa20.

I'm totally with "stand by the good proven old stuff if reasonable".
I'd prefer RSA with long keys and PSS over any elliptic curve cipher
(even if it's done by DJB).

[2] https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html

Hanno Böck

mail/jabber: hanno at hboeck.de
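To make the "chacha20 is only a small variant of salsa20" point concrete, here is an added example (written for this page, not code from the thread or from any of the people named in it): a minimal ChaCha20 block function in Python following the RFC 7539 state layout (32-bit counter, 96-bit nonce), with comments marking the two places where ChaCha20 departs from Salsa20, the quarter-round and the use of diagonal rounds in place of row rounds. The first 16 keystream bytes for the RFC 7539 test inputs are given as the expected output.

```python
import struct

MASK32 = 0xffffffff

def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))

def quarter_round(a, b, c, d):
    # ChaCha's quarter-round. This is the first change from Salsa20:
    # every word is updated twice per round and the rotation distances
    # are 16/12/8/7 (Salsa20 uses a different pattern with 7/9/13/18).
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 7)
    return a, b, c, d

def chacha20_block(key, counter, nonce):
    """64-byte keystream block for a 32-byte key, 32-bit counter, 12-byte nonce."""
    assert len(key) == 32 and len(nonce) == 12 and 0 <= counter <= MASK32
    # State: 4 constant words, 8 key words, 1 counter word, 3 nonce words.
    state = (list(struct.unpack('<4L', b'expand 32-byte k'))
             + list(struct.unpack('<8L', key)) + [counter]
             + list(struct.unpack('<3L', nonce)))
    x = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds
        for i in range(4):  # column round, same idea as Salsa20
            x[i], x[i+4], x[i+8], x[i+12] = quarter_round(x[i], x[i+4], x[i+8], x[i+12])
        for i in range(4):  # diagonal round: the second change from Salsa20 (row round)
            j1, j2, j3 = 4 + (i + 1) % 4, 8 + (i + 2) % 4, 12 + (i + 3) % 4
            x[i], x[j1], x[j2], x[j3] = quarter_round(x[i], x[j1], x[j2], x[j3])
    # Feed-forward: add the initial state so the round function is not invertible.
    return struct.pack('<16L', *[(x[i] + state[i]) & MASK32 for i in range(16)])

def chacha20_xor(key, counter, nonce, data):
    """Encrypt or decrypt (same operation) by XORing with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

# RFC 7539 section 2.3.2 inputs: key 00..1f, counter 1, nonce 000000090000004a00000000
# First keystream bytes: 10 f1 e7 e4 d1 3b 59 15 50 0f dd 1f a3 20 71 c4
RFC_KEY = bytes(range(32))
RFC_NONCE = bytes.fromhex('000000090000004a00000000')
```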
